All of lore.kernel.org
 help / color / mirror / Atom feed
From: Eric Paris <eparis@redhat.com>
To: linux-audit@redhat.com
Subject: [PATCH 4/7] audit: remove CONFIG_AUDIT_LOGINUID_IMMUTABLE
Date: Fri, 24 May 2013 12:11:47 -0400	[thread overview]
Message-ID: <1369411910-13777-4-git-send-email-eparis@redhat.com> (raw)
In-Reply-To: <1369411910-13777-1-git-send-email-eparis@redhat.com>

After trying to use this feature in Fedora we found the hard coding
policy like this into the kernel was a bad idea.  Surprise surprise.
We ran into these problems because it was impossible to launch a
container as a logged in user and run a login daemon inside that container.
This reverts back to the old behavior before this option was added.  The
option will be re-added in a userspace selectable manor such that
userspace can choose when it is and when it is not appropriate.

Signed-off-by: Eric Paris <eparis@redhat.com>
---
 init/Kconfig     | 14 --------------
 kernel/auditsc.c | 10 ++++------
 2 files changed, 4 insertions(+), 20 deletions(-)

diff --git a/init/Kconfig b/init/Kconfig
index 5341d72..2396945 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -272,20 +272,6 @@ config AUDIT_TREE
 	depends on AUDITSYSCALL
 	select FSNOTIFY
 
-config AUDIT_LOGINUID_IMMUTABLE
-	bool "Make audit loginuid immutable"
-	depends on AUDIT
-	help
-	  The config option toggles if a task setting its loginuid requires
-	  CAP_SYS_AUDITCONTROL or if that task should require no special permissions
-	  but should instead only allow setting its loginuid if it was never
-	  previously set.  On systems which use systemd or a similar central
-	  process to restart login services this should be set to true.  On older
-	  systems in which an admin would typically have to directly stop and
-	  start processes this should be set to false.  Setting this to true allows
-	  one to drop potentially dangerous capabilites from the login tasks,
-	  but may not be backwards compatible with older init systems.
-
 source "kernel/irq/Kconfig"
 source "kernel/time/Kconfig"
 
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index f260281..bbc5a4f 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1966,15 +1966,13 @@ static atomic_t session_id = ATOMIC_INIT(0);
 
 static int audit_set_loginuid_perm(kuid_t loginuid)
 {
-#ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE
 	/* if we are unset, we don't need privs */
 	if (!audit_loginuid_set(current))
 		return 0;
-#else	/* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
-	if (capable(CAP_AUDIT_CONTROL))
-		return 0;
-#endif /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
-	return -EPERM;
+	/* it is set, you need permission */
+	if (!capable(CAP_AUDIT_CONTROL))
+		return -EPERM;
+	return 0;
 }
 
 static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
-- 
1.8.2.1

  parent reply	other threads:[~2013-05-24 16:11 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-05-24 16:11 [PATCH 1/7] audit: implement generic feature setting and retrieving Eric Paris
2013-05-24 16:11 ` [PATCH 2/7] selinux: apply selinux checks on new audit message types Eric Paris
2013-05-24 16:11 ` [PATCH 3/7] audit: loginuid functions coding style Eric Paris
2013-05-24 16:11 ` Eric Paris [this message]
2013-05-24 16:11 ` [PATCH 5/7] audit: allow unsetting the loginuid (with priv) Eric Paris
2013-05-24 16:11 ` [PATCH 6/7] audit: audit feature to only allow unsetting the loginuid Eric Paris
2013-05-24 16:11 ` [PATCH 7/7] audit: audit feature to set loginuid immutable Eric Paris
2013-07-08 20:34   ` Steve Grubb
2013-07-08 20:51     ` Eric Paris
2013-07-08 21:26       ` Steve Grubb
2013-07-08 21:32         ` Eric Paris
2013-07-09 22:24           ` Steve Grubb
2013-07-09 23:51             ` LC Bruzenak
2013-07-10 13:46               ` Steve Grubb
2013-07-10 14:32                 ` LC Bruzenak
2013-07-10 18:16                   ` Eric Paris
2013-07-10 18:51                     ` LC Bruzenak
2013-07-10 19:02                       ` LC Bruzenak
2013-07-10 19:09                       ` Eric Paris
2013-05-24 16:28 ` [PATCH 1/7] audit: implement generic feature setting and retrieving Eric Paris
2013-05-24 20:41   ` William Roberts
2013-05-24 20:56     ` William Roberts
2013-05-30 17:20 ` Richard Guy Briggs
2013-07-08 20:28 ` Steve Grubb
2013-07-08 21:55   ` Eric Paris
2013-07-09  1:18     ` William Roberts
2013-07-09 18:30     ` Steve Grubb
2013-07-09 20:59       ` Eric Paris
2013-07-09 22:08 ` Steve Grubb
2013-11-02  7:26 ` Richard Guy Briggs
2013-11-02 14:44   ` Eric Paris
2014-08-22 21:58 ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1369411910-13777-4-git-send-email-eparis@redhat.com \
    --to=eparis@redhat.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.